0

I want to get the date/time for a specified username and compare it to today's date. I'm using a database.

    $con = mysqli_connect("server", "name", "pass", "db");
    if(!$con) {
      die("noconn");
    }

    $HWID = "";
    if(isset($_POST['HWID']) && !empty($_POST['HWID'])) {
      $HWID = mysqli_real_escape_string($con, $_POST['HWID']);
      $HWID = ($HWID);
    }
    elseif(isset($_GET['HWID']) && !empty($_GET['HWID'])) {
      $HWID = mysqli_real_escape_string($con, $_GET['HWID']);
      $HWID = ($HWID);
    } else {
      die("nodata");
    }

    $rows= "";
    if(isset($_GET['Expire_Date'])){
        $id=$_GET['Expire_Date'];
        $sql="SELECT HWID FROM users WHERE Expire_Date='$id'";
        $result=mysql_query($sql);
        $rows=mysql_fetch_array($result);
    }

    if (strtotime((new DateTime())->format("Y-m-d H:i:s")) > strtotime($rows)) {
      die("valid");
    } else {
      die("invalid");
    }

The code works together with C#

    dataToSend["HWID"] = HWID();
    string GetData = Encoding.UTF8.GetString(wc.UploadValues(@"http://127.0.0.1/test.php", dataToSend));

    if (GetData == "valid")
    {
        MessageBox.Show("date is valid", "Error!", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
    else if (GetData == "invalid")
    {
        MessageBox.Show("date is not valid", "Error!", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }

Let's say HWID (Hardware ID) is a username 18585B53C213CA86DE91BE1E2772D66C6EC3F32F in a database and there's a date specified, 2021-07-01. So when the date runs out, it will say invalid; otherwise, if it's not out, it'll say valid. Every time I try this code it gives me valid. I'm not sure if I specified the username correctly or didn't compare correctly.

Matt Thhh
  • 4
    `strtotime($rows)` - you're attempting to create a timestamp from an array containing data of the whole row. You need to select just one column, the one containing the actual date. – El_Vanja Jun 01 '21 at 09:06
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jun 01 '21 at 09:28
  • You are mixing APIs in PHP. `mysql_query` doesn't exist – Dharman Jun 01 '21 at 09:29
  • `strtotime((new DateTime())->format("Y-m-d H:i:s")` looks way too overcomplicated. Why not just use `time()` instead? – shaedrich Jun 01 '21 at 11:54
  • `$HWID = ($HWID);` doesn't make much sense either. – shaedrich Jun 01 '21 at 11:57

2 Answers

1

First of all, you should be using prepared statements. If you want to use mysqli then I show you how to do it below, but I would strongly recommend learning PDO instead.

You can check DateTime objects against themselves. No need to use the old strtotime() function. You just need to select the single value from the database.

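    <?php

    // Make mysqli throw exceptions instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $con = mysqli_connect("server", "name", "pass", "db");

    $HWID = "";
    if (!empty($_POST['HWID'])) {
        $HWID = $_POST['HWID'];
    } elseif (!empty($_GET['HWID'])) {
        $HWID = $_GET['HWID'];
    } else {
        die("nodata");
    }

    // The HWID is bound as a parameter, so it is never parsed as SQL.
    $stmt = $con->prepare("SELECT Expire_Date FROM users WHERE HWID=?");
    $stmt->bind_param('s', $HWID);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_object();

    // No matching row: treat an unknown HWID as invalid rather than
    // dereferencing null and comparing against the current time.
    if (!$row) {
        die("invalid");
    }
    $Expire_Date = $row->Expire_Date;

    // "valid" while the current time is still before the expiry date.
    if (new DateTime() < new DateTime($Expire_Date)) {
        die("valid");
    } else {
        die("invalid");
    }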
Dharman
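The same lookup written with PDO, which the answer above recommends, as an added example that is not part of the original answer. `licenseStatus()` is a hypothetical helper, the rows are constructed sample data, and an in-memory SQLite database (assumes the `pdo_sqlite` extension) stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not from the original thread. licenseStatus() is a
// hypothetical helper; the table and column names are the ones on the page.

function licenseStatus(PDO $db, string $hwid, DateTimeImmutable $now): string
{
    // The HWID travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT Expire_Date FROM users WHERE HWID = ?');
    $stmt->execute([$hwid]);
    $expire = $stmt->fetchColumn();   // false when no row matches

    if (!is_string($expire) || $expire === '') {
        return 'invalid';             // unknown HWID or empty date: fail closed
    }
    try {
        $expiresAt = new DateTimeImmutable($expire);
    } catch (Exception $e) {
        return 'invalid';             // unparsable date in the table: fail closed
    }
    // Valid only while the current time is before the expiry date.
    return $now < $expiresAt ? 'valid' : 'invalid';
}

// In-memory SQLite stands in for MySQL (assumption, so this runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (HWID TEXT PRIMARY KEY, Expire_Date TEXT)');

// Constructed sample rows; the first HWID and date are the ones from the question.
$insert = $db->prepare('INSERT INTO users (HWID, Expire_Date) VALUES (?, ?)');
$insert->execute(['18585B53C213CA86DE91BE1E2772D66C6EC3F32F', '2021-07-01']);
$insert->execute(['CONSTRUCTED-EXPIRED-HWID', '2021-01-01']);

// Fixed clock so the output is repeatable.
$now = new DateTimeImmutable('2021-06-01 09:00:00');
$inputs = [
    '18585B53C213CA86DE91BE1E2772D66C6EC3F32F',  // not yet expired
    'CONSTRUCTED-EXPIRED-HWID',                   // already expired
    'NOT-IN-TABLE',                               // unknown HWID
    "x' OR '1'='1",                               // quote characters stay plain data
];
foreach ($inputs as $hwid) {
    printf("%-42s %s\n", $hwid, licenseStatus($db, $hwid, $now));
}
```

Passing the clock in as `$now` keeps the comparison testable, and every path that cannot prove an unexpired date returns `invalid`.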
-1

As El_Vanja says, your problem is the `strtotime($rows)`. When you fetch your rows with `$rows=mysql_fetch_array($result);` you get an array with all selected columns (see doc here; you should take care, it's deprecated since PHP 5.5 and removed from PHP 7.0 and above). When you read the doc of `strtotime`, your first argument must be a string.

To fix your error you just have to replace `$rows=mysql_fetch_array($result);` by `$rows=mysql_fetch_array($result[0]);` or `$rows=mysql_fetch_array($result["HWID"]);`. Personally, I prefer the second one; it is more readable.